Revoked EuroDOCSIS™ manufacturer certificates

What are compromised certificates?

Manufacturer certificates make sure all modems are guaranteed to be produced under authority of the manufacturer certificate. This makes MAC address spoofing of those modems impossible and provides authentication of the modem to the CMTS.

If there is any doubt on the certificate owner’s security (e.g. abuse or misuse of the certificate’s private key), the certificate is marked as compromised. One can no longer be absolutely sure that a modem signed by this certificate is actually produced by the owner of the certificate. The MAC address of such a modem can no longer be trusted to be a legitimate MAC address.

What if a certificate is compromised?

When a manufacturer certificate is compromised, it is revoked by the authority that signed the manufacturer certificate, the Euro-DOCSIS Cable Modem Root Certificate Authority.

(Euro)DOCSIS provides a mechanism in the CMTSs to install or mark a manufacturer certificate as revoked/untrusted. When configured like that, the CMTS will no longer accept any modems signed by that manufacturer certificate onto the network.

It’s important to configure all your current and future CMTSs to reject revoked certificates. That way, you can avoid unauthorized cable modems or theft of service on your network. Note that this will also deny service to legitimate customers using that certificate (see further).

As an operator, what do I need to do to be on the safe side again?

In short:

  • If you are not running BPI+, you’re not using certificates and you’re not protected against the aforementioned threats anyway, so enable BPI+ asap.
  • If you don’t have any legitimate customers using the revoked manufacturer certificate supplier, install the manufacturer certificate as untrusted on all your CMTSs.
  • If you do have legitimate customers using the revoked certificate:
    • Contact the supplier of the revoked certificate for an upgrade solution. In the meantime, increase the surveillance for duplicate MAC addresses.
    • Once your legitimate customers have received the upgrade, install the manufacturer certificate as untrusted on all your CMTSs.

Details can be found in the paragraphs below.

Which certificates are revoked?

Currently, only one Manufacturer certificate has been revoked, this is the certificate with serial number 0x18d93d04728fce2fbaa781a81f926a43 (33029437896493652553816232095793703491 in decimal)

How can I check if a revoked certificate is used?

All certificates seen by a CMTS are stored in the docsBpi2CmtsCACertTable MIB table (from DOCS-IETF-BPI2-MIB).

One of the entries in that table is the docsBpi2CmtsCACertSerialNumber.

Do an SNMP walk on the docsBpi2CmtsCACertSerialNumber and check if one of the results is equal to (one of) the revoked certificates’ serial number. For example, using SNMP v2 and a command line tool:

# snmpwalk –v 2c –c <community> <cmts_ip> docsBpi2CmtsCACertSerialNumber

My CMTS is not using that certificate, am I safe now?

No, because (Euro)DOCSIS is designed to accept any correctly signed cable modem by default, the certificate might be used by a hacked modem in the future without you noticing it. Hence, it is important to configure ALL your CMTSs not to accept the revoked certificate anymore!

The procedure to do so is explained below.

What if I have legitimate customers using the certificate?

If the manufacturer is one of your suppliers, contact the manufacturer for a solution not requiring the use of the revoked certificate.

How do I configure a CMTS not to accept a revoked certificate?

Once your devices have been upgraded (or if you don’t use that manufacturer), you can revoke the certificate in your network. Don’t do this if your devices have not been upgraded, otherwise they will be rejected, and your customers will be denied service!

Two centralized methods are defined in the specifications (CRL and OCSP). None of these are required to be supported. No public CRL or OCSP service for (Euro)DOCSIS exists.

A distributed way to configure your CMTSs is to add an entry in the docsBpi2CmtsCACertTable and configure it to be untrusted (2):

# snmpset –v 2c –c <community> <cmts_ip> docsBpi2CmtsCACertStatus.<index> i 4 docsBpi2CmtsCACertTrust.<index> i 2 docsBpi2CmtsCACert.<index> x <hexString>

<index> is any unused index, the (very long) <hex string> is the hex representation of the actual Manufacturer certificate that is being revoked. The necessary hex string for the aforementioned certificate with serial number 0x18d93d04728fce2fbaa781a81f926a43 can be downloaded here.

 

Download the text file and copy its contents in the above command line.

If the entry is already present, simply put it to untrusted (docsBpi2CmtsCACertTrust = untrusted(2))

If createAndGo(4) is not supported by your CMTS, you can use separate snmp set commands (first set to CreateAndWait(5), afterwards set to active(1)).

If adding a certificate entry using SNMP is not supported by your CMTS, please contact your vendor for a vendor proprietary way to do so.

Note that it’s important to do this step even if you are not using a manufacturer from any revoked certificate. Devices using those certificates (could be hacked modems) might be introduced into your network without your knowledge.

How can I see if a modem is using a revoked certificate?

Once the revoked certificate is marked or installed as untrusted on the CMTS, all modems using that certificate will be denied service. To find out if there are any modems using an untrusted manufacturer certificate, check the docsBpi2CmtsAuthBpkmCmCertValid entries on the CMTS:

# snmpwalk –v 2c –c <community> <cmts_ip> docsBpi2CmtsAuthBpkmCmCertValid

If any entry has a value of 4 (invalidCAUntrusted), that means it’s using a revoked certificate!

To find out the actual MAC address (legitimate customer or hacked modem) is using the revoked certificate, you can parse the instance of the entry, instance is ifIndex of the CMTS MAC interface, followed by the mac address in decimal dotted notation, e.g. for MAC domain ifIndex 3, a resulting entry

docsBpi2CmtsAuthBpkmCmCertValid.3.0.255.0.10.11.12 = INTEGER: 4

would mean MAC address 00:FF:00:0A:0B:0C is using a revoked manufacturer certificate.

How can I see that lack of service for a customer is caused by the revoked certificate?

Similar to the step above, find out on which MAC interface (MAC domain) of which CMTS the modem is located, and do an SNMP get on the cert status:

# snmpget –v 2c –c <community> <cmts_ip> docsBpi2CmtsAuthBpkmCmCertValid.<ifIndex>.<mac_addess_in_dotted_decimal>

If the return value is 4 (invalidCAUntrusted), the service is indeed denied because that modem is using the revoked certificate.

Sample scripts

We have created sample scripts (Python 3) to help you with the process explained above: download the Certificate Tools.

Further questions?

If you have any more questions regarding this procedure, please contact testing@excentis.com.